jojo/models/issues
Mathieu Fenniak 733a390ecd fix: verify PR author has write access to head to support allow maintainers edit (#12292)
When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12292
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-04-29 05:26:22 +02:00
TestGetParticipantIDsByIssue fix: don't display pending reviews as participants (#10528) 2026-01-06 10:47:21 +01:00
TestGetUIDsAndStopwatch feat: add foreign keys to stopwatch & tracked_time tables (#9373) 2025-10-01 00:31:38 +02:00
action_aggregator.go feat(ui): add links to review request targets in issue comments (#8239) 2025-07-23 04:45:58 +02:00
action_aggregator_test.go feat(ui): add links to review request targets in issue comments (#8239) 2025-07-23 04:45:58 +02:00
assignees.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
assignees_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
comment.go fix: when reviewing in PRs, make comments relative to viewed base & head, not just viewed head (#12107) 2026-04-14 17:18:14 +02:00
comment_code.go fix: relocate PR review comments using git blame --reverse, improving comment placement (#12015) 2026-04-11 21:45:39 +02:00
comment_list.go refactor: reduce code duplication when accessing DefaultMaxInSize (#11999) 2026-04-05 22:03:45 +02:00
comment_list_test.go perf: bulk load resolvers & reactions on pull request comments (#11988) 2026-04-05 14:37:09 +02:00
comment_test.go fix: relocate PR review comments using git blame --reverse, improving comment placement (#12015) 2026-04-11 21:45:39 +02:00
content_history.go chore: handle error types consistently (#9873) 2026-03-06 00:48:06 +01:00
content_history_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
dependency.go refactor: migrate from lib/pq to jackc/pgx (#10219) 2025-11-30 17:47:45 +01:00
dependency_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue.go fix: don't display pending reviews as participants (#10528) 2026-01-06 10:47:21 +01:00
issue_index.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_index_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_label.go fix: possible cause of invalid issue counts; cache invalidation occurs before an active transaction is committed (#10130) 2025-11-17 01:07:29 +01:00
issue_label_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_list.go refactor: reduce code duplication when accessing DefaultMaxInSize (#11999) 2026-04-05 22:03:45 +02:00
issue_list_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
issue_lock.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_project.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_project_test.go chore: merge tests.AddFixtures and unittest.OverrideFixtures (#7648) 2025-04-25 09:14:33 +00:00
issue_search.go refactor: replace Value() from Option[T] with Get() & ValueOrZeroValue() (#11218) 2026-02-10 16:41:21 +01:00
issue_stats.go chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
issue_stats_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_test.go chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
issue_update.go chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
issue_user.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_user_test.go refactor: migrate from lib/pq to jackc/pgx (#10219) 2025-11-30 17:47:45 +01:00
issue_watch.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_watch_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_xref.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_xref_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
label.go feat: improve label filtering exclusion (#10702) 2026-02-08 00:31:31 +01:00
label_internal_test.go fix: reduce deadlocks merging PRs w/ async milestone stat recalcs (#9916) 2025-10-31 15:53:45 +01:00
label_test.go feat: improve label filtering exclusion (#10702) 2026-02-08 00:31:31 +01:00
main_test.go chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
milestone.go refactor: replace Value() from Option[T] with Get() & ValueOrZeroValue() (#11218) 2026-02-10 16:41:21 +01:00
milestone_internal_test.go fix: reduce deadlocks merging PRs w/ async milestone stat recalcs (#9916) 2025-10-31 15:53:45 +01:00
milestone_list.go refactor: replace Value() from Option[T] with Get() & ValueOrZeroValue() (#11218) 2026-02-10 16:41:21 +01:00
milestone_test.go refactor: migrate from lib/pq to jackc/pgx (#10219) 2025-11-30 17:47:45 +01:00
moderation.go feat: render a link to poster profile next to the ID within shadow copy details (#10194) 2025-12-09 15:19:10 +01:00
moderation_test.go feat: render a link to poster profile next to the ID within shadow copy details (#10194) 2025-12-09 15:19:10 +01:00
pull.go feat: show link to pull requests targeting a non-default branch when pushing (#10079) 2025-11-19 14:59:13 +01:00
pull_list.go fix: verify PR author has write access to head to support allow maintainers edit (#12292) 2026-04-29 05:26:22 +02:00
pull_test.go feat: show link to pull requests targeting a non-default branch when pushing (#10079) 2025-11-19 14:59:13 +01:00
reaction.go refactor: reduce code duplication when accessing DefaultMaxInSize (#11999) 2026-04-05 22:03:45 +02:00
reaction_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
review.go fix: PR not blocked by review request for a whitelisted team (#8511) 2025-07-15 23:21:42 +02:00
review_list.go chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
review_test.go chore: ensure consistent import aliasing for services and models (#10253) 2025-11-30 17:00:57 +01:00
stopwatch.go feat: add foreign keys to stopwatch & tracked_time tables (#9373) 2025-10-01 00:31:38 +02:00
stopwatch_test.go chore: merge tests.AddFixtures and unittest.OverrideFixtures (#7648) 2025-04-25 09:14:33 +00:00
tracked_time.go chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
tracked_time_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00